Commit 037cde0

feat(postgresql): configurable data source credentials for postgresql exporter

Signed-off-by: Salar Nosrati-Ershad <snosratiershad@gmail.com>
1 parent e3296a8 commit 037cde0

6 files changed

+45
-4
lines changed

bitnami/postgresql/Chart.yaml

Lines changed: 1 addition & 1 deletion
@@ -37,4 +37,4 @@ maintainers:
3737
name: postgresql
3838
sources:
3939
- https://github.com/bitnami/charts/tree/main/bitnami/postgresql
40-
version: 17.0.2
40+
version: 17.1.0

bitnami/postgresql/README.md

Lines changed: 4 additions & 0 deletions
@@ -373,6 +373,7 @@ If you already have data in it, you will fail to sync to standby nodes for all c
373373
| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
374374
| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
375375
| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
376+
| `global.postgresql.auth.secretKeys.metricsPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.metricsPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` |
376377
| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` |
377378
| `global.compatibility.openshift.adaptSecurityContext` | Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation) | `auto` |
378379

@@ -410,10 +411,13 @@ If you already have data in it, you will fail to sync to standby nodes for all c
410411
| `auth.database` | Name for a custom database to create | `""` |
411412
| `auth.replicationUsername` | Name of the replication user | `repl_user` |
412413
| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` is provided | `""` |
414+
| `auth.metricsUsername` | Name of the metrics user used by postgresql exporter | `""` |
415+
| `auth.metricsPassword` | Password for the metrics user used by postgresql exporter. Ignored if `auth.existingSecret` is provided | `""` |
413416
| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` |
414417
| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` |
415418
| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` |
416419
| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` |
420+
| `auth.secretKeys.metricsPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `metrics-password` |
417421
| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `true` |
418422
| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` |
419423
| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` |
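Review bot: the `auth.existingSecret` row in this hunk still lists only `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` as ignored, while the new `auth.metricsPassword` row says it is also ignored when `auth.existingSecret` is provided. Add `auth.metricsPassword` to the `auth.existingSecret` description and state that the existing secret must carry the `metrics-password` key (or the key named by `auth.secretKeys.metricsPasswordKey`) whenever `auth.metricsUsername` is set. Otherwise operators who bring their own secret have no way to learn about the new required key.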

bitnami/postgresql/templates/_helpers.tpl

Lines changed: 15 additions & 0 deletions
@@ -160,6 +160,21 @@ Get the user-password key.
160160
{{- end -}}
161161
{{- end -}}
162162

163+
{{/*
164+
Get metrics-password key.
165+
*/}}
166+
{{- define "postgresql.v1.metricsPasswordKey" -}}
167+
{{- if or .Values.global.auth.existingSecret .Values.auth.existingSecret -}}
168+
{{- if .Values.global.postgresql.auth.metricsPasswordKey -}}
169+
{{- printf "%s" (tpl .Values.global.postgresql.auth.metricsPasswordKey $) -}}
170+
{{- else if .Values.auth.metricsPasswordKey -}}
171+
{{- printf "%s" (tpl .Values.auth.metricsPasswordKey $) -}}
172+
{{- end -}}
173+
{{- else -}}
174+
{{- "metrics-password" -}}
175+
{{- end -}}
176+
{{- end -}}
177+
163178
{{/*
164179
Return true if a secret object should be created
165180
*/}}
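Review bot: the value paths read in `postgresql.v1.metricsPasswordKey` do not match the ones this commit documents and adds to values.yaml. The guard uses `.Values.global.auth.existingSecret`, but the README and values.yaml name the setting `global.postgresql.auth.existingSecret`, so this lookup will either fail on a missing map or never be true. The two key lookups use `.Values.global.postgresql.auth.metricsPasswordKey` and `.Values.auth.metricsPasswordKey`, omitting the `secretKeys` segment, so a configured `auth.secretKeys.metricsPasswordKey` is never read. There is also no final `else` inside the existing-secret branch: when neither lookup matches, the helper returns an empty string, and the statefulset renders `/opt/bitnami/postgresql/secrets/` with no file name or an empty `secretKeyRef` key. Suggest reading `.Values.global.postgresql.auth.existingSecret`, `.Values.global.postgresql.auth.secretKeys.metricsPasswordKey` and `.Values.auth.secretKeys.metricsPasswordKey`, and falling back to `"metrics-password"` in the inner branch as well.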

bitnami/postgresql/templates/primary/statefulset.yaml

Lines changed: 9 additions & 1 deletion
@@ -539,16 +539,24 @@ spec:
539539
value: {{ printf "127.0.0.1:%d/postgres?sslmode=disable" (int (include "postgresql.v1.service.port" .)) }}
540540
{{- if .Values.auth.usePasswordFiles }}
541541
- name: DATA_SOURCE_PASS_FILE
542+
{{- if and (not (empty .Values.auth.metricsUsername)) (ne .Values.auth.metricsUsername "postgres")}}
543+
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.metricsPasswordKey" .) }}
544+
{{- else }}
542545
value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (include "postgresql.v1.adminPasswordKey" .) }}
546+
{{- end }}
543547
{{- else }}
544548
- name: DATA_SOURCE_PASS
545549
valueFrom:
546550
secretKeyRef:
547551
name: {{ include "postgresql.v1.secretName" . }}
552+
{{- if and (not (empty .Values.auth.metricsUsername)) (ne .Values.auth.metricsUsername "postgres")}}
553+
key: {{ include "postgresql.v1.metricsPasswordKey" . }}
554+
{{- else }}
548555
key: {{ include "postgresql.v1.adminPasswordKey" . }}
556+
{{- end }}
549557
{{- end }}
550558
- name: DATA_SOURCE_USER
551-
value: "postgres"
559+
value: {{ coalesce .Values.auth.metricsUsername "postgres" }}
552560
{{- if .Values.metrics.extraEnvVars }}
553561
{{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }}
554562
{{- end }}
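Review bot: the new `DATA_SOURCE_USER` line drops the quoting that the removed `value: "postgres"` had. `value: {{ coalesce .Values.auth.metricsUsername "postgres" }}` renders the user name as a bare YAML scalar, so a name that parses as a number or boolean yields a non-string env value and the manifest is rejected; add `| quote`. Separately, the condition `and (not (empty .Values.auth.metricsUsername)) (ne .Values.auth.metricsUsername "postgres")` is repeated in both the `DATA_SOURCE_PASS_FILE` and `DATA_SOURCE_PASS` branches. Moving it into a named helper in _helpers.tpl would keep the user name and the password key selection from drifting apart, which matters here because a mismatch means the exporter authenticates as one role with another role's password.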

bitnami/postgresql/templates/secrets.yaml

Lines changed: 4 additions & 0 deletions
@@ -53,6 +53,10 @@ data:
5353
{{- if $replicationPassword }}
5454
replication-password: {{ $replicationPassword | b64enc | quote }}
5555
{{- end }}
56+
# We don't auto-generate metrics password when it's not provided as we do for other passwords
57+
{{- if and .Values.metrics.enabled (and (not (empty .Values.auth.metricsPassword)) (ne .Values.auth.metricsPassword "postgres")) }}
58+
metrics-password: {{ .Values.auth.metricsPassword | b64enc | quote }}
59+
{{- end }}
5660
# We don't auto-generate LDAP password when it's not provided as we do for other passwords
5761
{{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }}
5862
ldap-password: {{ $ldapPassword | b64enc | quote }}
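Review bot: the guard on the `metrics-password` entry compares the password, not the user name, against "postgres": `(ne .Values.auth.metricsPassword "postgres")`. This looks copied from the user name check in the statefulset, and it silently drops a metrics password whose value happens to be `postgres` instead of rejecting it. The condition should mirror the statefulset and test `.Values.auth.metricsUsername`. Also, because the password is not auto-generated, setting `auth.metricsUsername` without `auth.metricsPassword` (and without an existing secret) makes the statefulset reference a `metrics-password` key that this Secret does not contain. Fail the render in that case, for example with `required`, rather than shipping a pod that cannot resolve its credential.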

bitnami/postgresql/values.yaml

Lines changed: 12 additions & 2 deletions
@@ -15,7 +15,7 @@ global:
1515
##
1616
imagePullSecrets: []
1717
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
18-
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
18+
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
1919
##
2020
defaultStorageClass: ""
2121
storageClass: ""
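Review bot: the removed and added `## @param global.storageClass DEPRECATED: ...` lines are textually identical as shown, so this is a whitespace-only change unrelated to the metrics credentials feature. Drop it from this commit, or send it separately, to keep the credential-handling diff easy to audit.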
@@ -34,9 +34,10 @@ global:
3434
## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
3535
## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
3636
## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
37+
## @param global.postgresql.auth.secretKeys.metricsPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.metricsPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set.
3738
##
3839
fullnameOverride: ""
39-
40+
4041
auth:
4142
postgresPassword: ""
4243
username: ""
@@ -47,6 +48,7 @@ global:
4748
adminPasswordKey: ""
4849
userPasswordKey: ""
4950
replicationPasswordKey: ""
51+
metricsPasswordKey: ""
5052
## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`)
5153
##
5254
service:
@@ -165,17 +167,25 @@ auth:
165167
## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` is provided
166168
##
167169
replicationPassword: ""
170+
## @param auth.metricsUsername Name of the metrics user used by postgresql exporter
171+
##
172+
metricsUsername: ""
173+
## @param auth.metricsPassword Password for the metrics user used by postgresql exporter. Ignored if `auth.existingSecret` is provided
174+
##
175+
metricsPassword: ""
168176
## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case.
169177
##
170178
existingSecret: ""
171179
## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
172180
## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
173181
## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
182+
## @param auth.secretKeys.metricsPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set.
174183
##
175184
secretKeys:
176185
adminPasswordKey: postgres-password
177186
userPasswordKey: password
178187
replicationPasswordKey: replication-password
188+
metricsPasswordKey: metrics-password
179189
## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable
180190
##
181191
usePasswordFiles: true
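Review bot: the `## @param auth.metricsUsername` comment does not say what the empty default means. Per the statefulset change, an empty value (or `postgres`) leaves the exporter connecting as `postgres` with the admin password key, so a default install still hands the exporter the admin credentials. Document that fallback here and point users at setting a dedicated metrics user. The `auth.existingSecret` comment in this hunk also needs `auth.metricsPassword` added to its list of ignored values, matching the README.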
